
Website Security

I run a dynamic PHP/MySQL membership website, and a competitor site has been constantly hacking us. I have a few backups, so thankfully I can restore the site to its normal state. But after I restore it they can still hack it very easily. I have checked through all my code and I cannot find any vulnerabilities. I suspected that they were using XSS, so I installed a script called HTML Purifier. Still they were able to hack into the system. After they had hacked the system they were using the private message facility to send lots of abusive messages out using my username.

I think they might be somehow modifying the user sessions to impersonate our website staff. Somehow they had managed to post over 300 messages onto the forums in under a minute, and I could not trace the IP address of the poster.

There is no way to gain access to the session data unless they can physically hack into the server itself. Even then they would need to upload and run their own custom php code to scan through all the session files and integrate with your system.

I suspect your login system or one of your forms has some weakpoints. You've shown us the completely wrong thing.

Show the code for your login, registration and any contact forms you have.

You are using unencrypted session variables. Yes, the session file is located on the server, not client side like a cookie, BUT those values can still be manipulated. I suggest using a token system and some type of encryption to prevent session hijacking (that's what it sounds like to me).

I noticed this line specifically:
$sql = mysql_query("SELECT * FROM members WHERE id='$userid'");

Start off simple. Session hijacking is the least likely, as it's the hardest to do. It involves sniffing your traffic etc. etc. and is just unlikely.

The most common is SQL Injection, so I would check that you're validating user input that is being entered into queries, using mysql_real_escape_string().

Also, the file you're including, connect_to_mysql.php: it's possible they might know where that file is, and could easily include it into a script of their own from a different URL, dependent on a couple of PHP configuration settings, so it might be worth moving it above the web root (the folder above public_html or www). That way, they physically can't get access to it without having a script on your server.

Which leaves XSS. Ensure there's no unvalidated user uploads, or inputs, that point to a file location. Ensure you use something like $_SERVER['DOCUMENT_ROOT'] prefixed to file locations that are user provided. Also validate file uploads, by ensuring file types and disallowing certain types and sizes.

Your actual 'check if logged in' portion isn't great. It's easy to find out a user id, and if someone was able to set their id as a user id, they'd be logged in as that user. I'm not actually sure how easy, or hard, it would be to set a $_SESSION variable like that however. I would suggest rethinking that part, by validating the user's 'last logged in ip' in the table with the current IP, and validate on some sort of token set at login, also stored on login.

Also, like perplexed says, don't retrieve your password through MySQL. It could be sniffed out that way. Limit the fields in the query to the fields you require.

And of course, make sure you're using sha1() for your passwords, to hash them so that no-one can see them in plain text.
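The advice in the last two replies (parameterised query instead of the quoted `WHERE id='$userid'` line, explicit column list rather than `SELECT *`, the connection file kept above the web root, and a login check that validates a per-login token plus the last login IP) pulled together as one added PHP example. This is not code from the thread or from the OP's site. It assumes `connect_to_mysql.php` creates a PDO handle `$pdo`, and that the `members` table has columns `username`, `password_hash`, `login_token` and `last_ip` (only `members` and `id` appear in the thread; the rest are assumptions). It uses `password_hash()`/`password_verify()` where the reply suggests `sha1()`, because those handle salting and a slow hash for you.

```php
<?php
// Added example, not code from the thread. Assumes connect_to_mysql.php
// (kept one level above the web root) defines a PDO connection $pdo, and a
// `members` table with columns id, username, password_hash, login_token,
// last_ip. Column names other than `id` are assumptions for this example.
declare(strict_types=1);
session_start();

// Config file lives outside public_html, so it cannot be fetched or
// remote-included over the web; only a script already on the server can read it.
require dirname(__DIR__) . '/connect_to_mysql.php'; // defines $pdo (assumed)

// Registration: store a salted, slow hash, never the password or a bare sha1().
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: verify the password, then bind the session to a fresh session id,
// a random per-login token and the client IP, all recorded server side.
function login(PDO $pdo, string $username, string $password): bool
{
    // Only the columns this step needs; user input is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);                 // new session id: defeats fixation
    $token = bin2hex(random_bytes(32));          // 256-bit token issued for this login

    $upd = $pdo->prepare('UPDATE members SET login_token = ?, last_ip = ? WHERE id = ?');
    $upd->execute([$token, $_SERVER['REMOTE_ADDR'], (int) $row['id']]);

    $_SESSION['userid'] = (int) $row['id'];
    $_SESSION['token']  = $token;
    return true;
}

// "Check if logged in": a user id in the session is not enough on its own.
// The token issued at login and the login IP must both match the database row.
function current_member(PDO $pdo): ?array
{
    if (!isset($_SESSION['userid'], $_SESSION['token'])) {
        return null;
    }

    // Replaces: mysql_query("SELECT * FROM members WHERE id='$userid'")
    // Bound parameter, explicit column list, and no password column fetched.
    $stmt = $pdo->prepare(
        'SELECT id, username, login_token, last_ip FROM members WHERE id = ?'
    );
    $stmt->execute([(int) $_SESSION['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Constant-time compare; cast handles a NULL token for a never-logged-in row.
    if (!hash_equals((string) $row['login_token'], $_SESSION['token'])) {
        return null;
    }

    // IP binding as the reply suggests. Caveat: users behind rotating proxies
    // or mobile carriers will be logged out when their address changes.
    if ($row['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        return null;
    }

    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Logout: invalidate the server-side token so a copied session is useless.
function logout(PDO $pdo): void
{
    if (isset($_SESSION['userid'])) {
        $stmt = $pdo->prepare('UPDATE members SET login_token = NULL WHERE id = ?');
        $stmt->execute([(int) $_SESSION['userid']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

With this shape, someone who knows a staff member's numeric id gains nothing from writing it into a session, because `current_member()` also requires the random token that only the genuine login wrote to the database, and `logout()` revokes that token so a stolen session file stops working as soon as the real user logs out.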